#420 ns-slapd dirsrv_t netlink_route_socket denials
Closed: wontfix. Opened 11 years ago by rmeggins.

https://bugzilla.redhat.com/show_bug.cgi?id=840956 (389)

+++ This bug was initially created as a clone of Bug #740925 +++

Description of problem:

On directory server startup I'm seeing (in permissive mode):

type=AVC msg=audit(1316806800.921:105382): avc:  denied  { create } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105383): avc:  denied  { bind } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105384): avc:  denied  { getattr } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc:  denied  { write } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc:  denied  { nlmsg_read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105386): avc:  denied  { read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket

Did not appear to affect my operation so far.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.9.9-1.el5
selinux-policy-2.4.6-316.el5

--- Additional comment from ksrot@redhat.com on 2011-10-06 09:58:55 EDT ---

> Did not appear to affect my operation so far.

Hi,
do you say it did not appear to affect your operation when in enforcing, right?
Thank you.

--- Additional comment from dwalsh@redhat.com on 2011-10-06 10:30:17 EDT ---

These avc's are often related to using getpw calls, and usually end up needing
auth_use_nsswitch()

--- Additional comment from orion@cora.nwra.com on 2011-10-06 10:48:51 EDT ---

(In reply to comment #1)
> > Did not appear to affect my operation so far.
>
> Hi,
> do you say it did not appear to affect your operation when in enforcing, right?
> Thank you.

Correct, everything is apparently fine even in enforcing.

--- Additional comment from rmeggins@redhat.com on 2011-10-07 13:13:12 EDT ---

(In reply to comment #2)
> These avc's are often related to using getpw calls, and usually end up needing
> auth_use_nsswitch()

So is there something that needs to be fixed in package 389-ds-base?

--- Additional comment from nkinder@redhat.com on 2011-10-07 13:22:57 EDT ---

(In reply to comment #4)
> (In reply to comment #2)
> > These avc's are often related to using getpw calls, and usually end up needing
> > auth_use_nsswitch()
>
> So is there something that needs to be fixed in package 389-ds-base?

It sounds like we need to add auth_use_nsswitch() to the dirsrv_t policy in
selinux-policy, as we do call getpwnam() during startup of a DS instance.

--- Additional comment from mgrepl@redhat.com on 2011-10-18 14:41:01 EDT ---

Fixed in selinux-policy-3.7.19-118.el6.noarch

# sesearch -A -s dirsrv_t -t dirsrv_t -c netlink_route_socket
Found 1 semantic av rules:
   allow dirsrv_t dirsrv_t : netlink_route_socket { ioctl read write create
getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
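
The sesearch output above is the check that settles a thread like this: do the permissions the policy grants cover every permission the AVC lines report as denied? The following is an added example, not code from the bug report or from the 389-ds-base project. It groups denied permissions by (source type, target type, object class) the way audit2allow does, renders the minimal allow rule, and diffs the denials against the allow rule sesearch printed. The sample input is constructed from the AVC lines and the sesearch line quoted in this ticket; `AVC_RE`, `ALLOW_RE` and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in this ticket, one per line.
AVC_SAMPLE = """\
type=AVC msg=audit(1316806800.921:105382): avc:  denied  { create } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105383): avc:  denied  { bind } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105384): avc:  denied  { getattr } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc:  denied  { write } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc:  denied  { nlmsg_read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105386): avc:  denied  { read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
"""

# Constructed sample: the allow rule sesearch printed for the fixed policy.
SESEARCH_SAMPLE = """\
Found 1 semantic av rules:
   allow dirsrv_t dirsrv_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
"""

# Matches the verdict, the permission set and the three fields that identify a policy rule.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Matches one "allow SRC TGT : CLASS { perms } ;" line as sesearch prints it.
ALLOW_RE = re.compile(
    r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]+)\}'
)


def type_of(context):
    """Return the type component of a user:role:type:level security context."""
    return context.split(':')[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue  # granted events and non-AVC records are not policy gaps
        key = (type_of(m.group('scontext')), type_of(m.group('tcontext')), m.group('tclass'))
        denials[key].update(m.group('perms').split())
    return denials


def parse_allow_rules(text):
    """Group granted permissions from sesearch output by the same key."""
    allows = defaultdict(set)
    for m in ALLOW_RE.finditer(text):
        allows[(m.group('src'), m.group('tgt'), m.group('cls'))].update(m.group('perms').split())
    return allows


def allow_rules_for(denials):
    """Render the minimal allow rules that would cover the denials (audit2allow style)."""
    lines = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = 'self' if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


def uncovered(denials, allows):
    """Denied permissions no matching allow rule grants: these stay denied in enforcing mode."""
    missing = {}
    for key, perms in denials.items():
        gap = perms - allows.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == '__main__':
    denials = parse_avcs(AVC_SAMPLE)
    for rule in allow_rules_for(denials):
        print(rule)
    gap = uncovered(denials, parse_allow_rules(SESEARCH_SAMPLE))
    print('policy covers all denials' if not gap else f'still denied: {gap}')
```

On a live host the two inputs come from `ausearch -m avc -ts recent` and the same `sesearch -A -s dirsrv_t -t dirsrv_t -c netlink_route_socket` query quoted above; an empty `uncovered()` result means the installed policy grants everything the logged denials asked for. It does not by itself say whether the server cares about the denial: as the reporter notes, ns-slapd started fine in enforcing mode while these were denied, because the lookup that triggered them evidently tolerates the failure.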

--- Additional comment from errata-xmlrpc@redhat.com on 2011-12-06 05:19:26 EST ---

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

set default ticket origin to Community

Added initial screened field value.

I cannot reproduce any errors in /var/log/audit/audit.log or /var/log/messages when restarting 389 in "enforcing mode" on rhel 6.2.

Is there any more information on this issue?

I cannot reproduce this on rhel 5 with 389-ds-base-1.2.9.9-1.el5 with selinux-policy-2.4.6-327.el5 or selinux-policy-2.4.6-316.el5.

I believe they only appear in permissive mode.

I still can't reproduce it (enforcing & permissive), but here is the selinux command to remove the policy that is causing the errors:

semodule -r dirsrv-admin
semodule -r dirsrv

Closing ticket.

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.0

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/420

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Invalid)

3 years ago
